How BankID at 20 Became Sweden’s Digital Barrier Against Offshore Gambling

BankID fyller 20: hur en svensk app blev standard för digital identitet

BankID turns 20 in 2023, evolving from a simple banking tool to the backbone of Sweden’s online gambling regulation. This analysis examines how the nation’s near-universal digital identity system enables regulators to identify players, enforce self-exclusion via Spelpaus, and effectively block unlicensed offshore casinos from accessing the Swedish market.

BankID: The identity infrastructure underpinning Sweden’s gambling licensing model

When the Swedish Gambling Act (Spellagen, SFS 2018:1138) came into force on 1 January 2019, it mandated that all licensed gambling operators must verify the identity of every player before allowing them to play. BankID, launched in 2003 by Swedish banks and currently overseen by Sveriges Riksbank and the Finansinspektionen, had already achieved near-universal penetration among Swedish adults. By requiring operators to integrate BankID for login and transactions, the regulator Spelinspektionen effectively created a digital gatekeeper.

Today, over 8 million Swedes have an active BankID, making it the de facto standard for all sensitive online interactions – from tax returns to healthcare. For online casinos holding a Swedish licence, BankID is used at registration, each login, and for deposits or withdrawals. This gives Spelinspektionen a real-time audit trail and allows it to verify that players are not minors, not self-excluded via Spelpaus, and that operators are complying with the 18+ age limit and responsible gambling rules.

The result is a closed-loop ecosystem: a player cannot gamble on a licensed site without proving their identity via BankID. Any offshore casino that does not integrate BankID is effectively locked out of the Swedish market, because Swedish consumers cannot use BankID on unlicensed websites – and most Swedish consumers will not trust a casino that does not accept their primary identity method.

How BankID powers Spelpaus – and blocks offshore operators

Spelpaus.se, the national self-exclusion registry launched in 2019, relies entirely on BankID. When a person registers a self-exclusion on Spelpaus, their personal number is instantly shared with every licensed operator via a central database. Operators are legally obliged to deny service to that individual for the chosen duration (1, 3, 6, or 12 months, or permanently). As of October 2023, more than 100,000 Swedes have used Spelpaus, and the system processes over 1 million identity checks daily.

Offshore casinos that target Swedish players without a licence cannot access Spelpaus. They often try to circumvent the law by accepting payment methods like instant bank transfers or Swish, but these too require BankID. Without it, a Swedish player must provide alternative identification – such as passport scans or crypto wallets – which adds friction and increases the risk of fraud. This friction is a powerful deterrent: a 2022 survey by the Swedish Agency for Public Management found that 80% of Swedish gamblers say they would not play on a site that does not accept BankID.

  • Licensed operators using BankID: Approximately 70 online gambling licences active (2023)
  • Self-exclusion via Spelpaus: Over 100,000 registered users
  • Estimated unlicensed market share in Sweden: 15–20% of total online gambling revenue, down from 30% before the 2019 law (source: Spelinspektionen)

Nordic neighbours: Denmark’s MitID, Norway’s BankID and Finland’s pending reform

Sweden is not alone in using digital identity for gambling regulation, but its approach is the most integrated. Denmark, which re-regulated its gambling market in 2010, uses the similarly ubiquitous MitID (formerly NemID) for age verification and for its national self-exclusion system ROFUS. Denmark’s Spillemyndigheden reports that ROFUS had over 30,000 active self-exclusions in 2022. However, Denmark does not mandate MitID for every login – only at registration – making the barrier slightly lower for offshore operators.

Norway, which maintains a state gambling monopoly via Norsk Tipping and Norsk Rikstoto, uses BankID (the same technical standard as Sweden) for all player accounts. Unlicensed offshore casinos are explicitly banned, and Norwegian authorities have used payment blocking orders – often relying on BankID transaction data – to stop flows to those sites. Finland, the only Nordic country still without a licensing system, will introduce a new gambling act in 2026 that is expected to require strong identification, likely Finnish e-ID (the national electronic identity card) but also BankID from Swedish banks is common among Finnish consumers.

Country Digital ID system Mandatory for gambling? Self-exclusion registry Offshore blocking method
Sweden BankID (2003) Yes – login & transaction Spelpaus (2019) Identity verification requirement
Denmark MitID (2021, replacing NemID) Yes – registration only ROFUS (2012) Payment blocking
Norway BankID Yes – login & transaction Norsk Tipping own system Payment blocking & monopoly
Finland Finnish e-ID / BankID Not yet – licensing reform by 2026 Planned Currently limited; reform will change

Legal foundation and EU compatibility

The Swedish Gambling Act explicitly requires operators to have “reliable identification methods” – defined in practice as BankID. The law also introduced a licensing fee of SEK 400,000 per licence and a 18% gambling tax (as of 2023). Critically, the act includes provisions to block payments to unlicensed operators. The EU’s Fourth Anti-Money Laundering Directive (AMLD4) also requires gambling operators to perform customer due diligence, which strengthens the rationale for mandatory digital ID.

Sweden’s approach has faced legal challenges from offshore operators claiming restrictions violate EU freedom of services. In 2021, the EU Commission opened an infringement procedure against Sweden regarding the payment blocking rules, but the case was closed in 2022 after Sweden provided justifications based on public health and consumer protection. The European Court of Justice has consistently ruled that member states may impose stricter regulations on gambling for public interest reasons, provided they are proportionate and non-discriminatory – a standard Sweden meets by applying the same rules to all operators equally.

Spelinspektionen, the Swedish regulator, has increasingly used its enforcement powers. In 2022 alone, it issued fines totalling SEK 65 million to licensed operators for compliance failures, and it referred 20 unlicensed domains to internet service providers for blocking. BankID transaction logs have been central to these investigations, allowing auditors to spot patterns of underage gambling or self-excluded players slipping through.

Challenges ahead: crypto casinos, payment bypass and cross-border friction

Despite BankID’s strength, offshore operators adapt. Many now accept cryptocurrencies such as Bitcoin or stablecoins, which bypass traditional payment systems and identity verification entirely. Swedish players can deposit via crypto without ever using BankID – a loophole that Spelinspektionen has struggled to close. In 2023, the regulator warned that the share of unlicensed gambling may be rising again, driven by crypto-friendly casinos.

Another vulnerability is cross-border identity: Swedes living abroad or dual citizens may hold other digital IDs (such as Norwegian BankID or Danish MitID) and use them on offshore sites registered in neighbouring countries. The EU’s eIDAS regulation (2014/910/EU) encourages mutual recognition of electronic IDs, but Sweden has not yet integrated foreign IDs into Spelpaus. As a result, an operator licensed in Malta can accept a Norwegian BankID user from Sweden, creating a grey area. The independent Swedish reference site utländskacasino.se tracks how Sweden regulates offshore casinos and the wider market.

A proposed amendment to the Swedish Gambling Act, expected in 2024, would extend the duty of care to include “alternative forms of identification” and require operators to check player addresses against the Swedish Population Register. Meanwhile, the Spelinspektionen is pushing for an EU-wide self-exclusion database – a step that would complement BankID’s domestic success with a supranational layer of consumer protection.

Sources